GravityRAT: the trojan with a unique trick for evading analysis
GravityRAT, a remote access trojan targeting organisations across India, boasts an unusual trick for evading analysis: taking a reading of the target computer’s temperature.
The trojan only detonates its payload if the thermal reading is below a certain level, because a high temperature suggests the device is running a series of virtual machines – digital chambers used by researchers to isolate and analyse malware as part of a process called “sandboxing”.
In a blog published by Cisco Talos, researchers Warren Mercer and Paul Rascagneres explain that the virus has remained under the radar for the last two years, while its developers have made a series of improvements.
“We’ve seen file exfiltration, remote command execution capability and anti-VM techniques added throughout the life of GravityRAT,” they write. “This consistent evolution beyond standard remote code execution is concerning because it shows determination and innovation by the actor.”
Once the document has been opened, a macro copies the active document, renames it as a zip archive, extracts the malicious .exe file stored within it and then schedules this file for execution every day.
The researchers add: “With this approach, the attacker ensures that there is no direct execution (the executable is executed thanks to scheduled tasks), there’s no download of an additional payload, and finally, the author uses the fact that the docx format is an archive in order to include its executable (GravityRAT).”
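The delivery trick described above relies on a .docx being a ZIP archive that can carry an executable alongside its XML parts. As an added illustration (not code from the article or from Cisco Talos), the following Python scanner opens a document as a ZIP and flags any member that carries a Windows PE `MZ` header or an executable extension; the sample document it builds is constructed inline and contains only a harmless `MZ` stub.

```python
import io
import zipfile

# Minimal .docx (OOXML) member list; constructed skeleton for this example only.
DOCX_MEMBERS = ["[Content_Types].xml", "_rels/.rels", "word/document.xml"]
MZ_MAGIC = b"MZ"  # DOS header signature that every Windows PE file starts with
PE_EXTENSIONS = (".exe", ".dll", ".scr")


def scan_docx_for_embedded_pe(data: bytes) -> list:
    """Return names of ZIP members inside a .docx that look like PE executables.

    A .docx is a plain ZIP archive, so an executable can ride inside it next to
    the XML parts; a macro only needs to rename the file and extract the member.
    """
    findings = []
    if not data.startswith(b"PK"):  # not a ZIP at all, so not an OOXML document
        return findings
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                with zf.open(info) as member:
                    head = member.read(2)  # only the first two bytes are needed
                by_magic = head == MZ_MAGIC
                by_name = info.filename.lower().endswith(PE_EXTENSIONS)
                if by_magic or by_name:
                    findings.append(info.filename)
    except zipfile.BadZipFile:
        pass  # truncated or corrupt archive: nothing we can inspect safely
    return findings


def build_sample_docx(embedded: dict) -> bytes:
    """Build a constructed .docx-like ZIP; `embedded` maps extra member names to bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name in DOCX_MEMBERS:
            zf.writestr(name, "<xml/>")  # placeholder XML parts
        for name, content in embedded.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    clean = build_sample_docx({})
    # Fake PE: the MZ signature plus padding, constructed and harmless.
    tainted = build_sample_docx({"word/media/image1.bin": MZ_MAGIC + b"\x90" * 64})
    print(scan_docx_for_embedded_pe(clean))    # []
    print(scan_docx_for_embedded_pe(tainted))  # ['word/media/image1.bin']
```

Note that the tainted sample hides the stub under an innocuous image-like name, so matching on extension alone would miss it; the `MZ` check catches it regardless of filename.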
Source | newstatesman